Search results

Document and record control procedure means what are the procedure will include?

Document control involves ISO 17025 mandatory documents as well as those you develop. It is not just about the unique identifiers (document name, number) and revision number. The purpose of document control is that plus to make sure the correct documents are in use, obsolete version are taken out of use. Furthermore, to make sure all documents are reviewed periodically and have been approved.

For more information see

a similar question at https://community.advisera.com/topic/document-control-6/
the ISO 17025 toolkit document template: Document and Record Control Procedure at https://advisera.com/17025academy/documentation/document-and-record-control-procedure/
the article List of mandatory documents required by ISO 17025:2017 at https://advisera.com/17025academy/blog/2019/08/30/list-of-mandatory-documents-required-by-iso-170252017/
the whitepaper Checklist of mandatory documents required by ISO 17025:2017 available from https://advisera.com/17025academy/free-downloads/

ISO 27001 and ISO 20000 certification

Please note that ISO 27001 and ISO 20000 have different objectives, and core requirements, so only one of them is not enough to fulfill the criteria for both certifications. However, they share many requirements, which makes implement them together easier.

Now, regarding the necessity, this only can be evaluated based on your organization’s strategies and objectives. For example, if your core business is related to the provision of IT services and you have a clear demand for information protection, then both certifications would help.

These articles will provide you a further explanation about ISO 27001 and ISO 20000 integration:

• How to implement ISO 27001 and ISO 20000 together https://advisera.com/27001academy/blog/2015/03/16/how-to-implement-iso-27001-and-iso-20000-together/
• How to implement integrated management system https://advisera.com/articles/how-to-implement-integrated-management-systems/

These materials will also help you regarding ISO 27001 and ISO 20000 integration:

• How to integrate ISO 27001 and ISO 20000 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-integrate-iso-27001-and-iso-20000-free-webinar-on-demand/
• ISO 27001 vs. ISO 20000 matrix (PDF) https://info.advisera.com/27001academy/free-download/iso-27001-vs-iso-20000-matrix

Can CE agency also recognize the same 13485 standard?

If I understand your question correctly, you are asking do notify bodies to recognize standard ISO 13485:2016 as a quality management standard. 

According to the MDD, all manufacturers must be in compliance with applicable harmonized standards. Harmonized standards are standards published by the European Commission in the Official Journal of the European Union. On that list, ISO 13485 is the only standard that covers the quality management system. 

Considering the MDR, there is still no list of harmonized standards published that will answer MDR requirements. It is expected that a new list of harmonized standards will be published by May 2021. Therefore, ISO 13485:2016 is still not harmonized to the MDR.

For more information, please see the following articles:

• What are EU harmonized standards? https://advisera.com/13485academy/blog/2020/06/12/what-are-eu-harmonized-standards/
• EU MDR Article 8 – Use of harmonized standards https://advisera.com/13485academy/mdr/use-of-harmonised-standards/

• Information security objectives

  Let´s evaluate it considering S.M.A.R.T. concepts:

  • Specific (target a specific area for improvement): This aspect is covered by the text “Define and establish the general guidelines of information security in the company,…”
  • Measurable (quantify or at least suggest an indicator of progress): it is not clear how it can be measured (e.g.: Define and establish how many guidelines?). Here you can use, for example, “Define and establish the general guidelines of information security in the company based on ISO 27001 standard,…”, because by using the standard as a reference you will be able to measure progress (e.g., how many items were covered?)
  • Achievable (state what results can realistically be achieved, given available resources): This one cannot be properly evaluated without knowing your context (this is a subjective evaluation by your top management, normally considering the measurable objective and the proposed deadline).
  • Relevant (how it impacts the business): It is not clear how this objective can benefit the organization (e.g., a decrease of quantity and/or impact of incidents, increase in productivity or competitiveness, etc.).
  • Time-related (specify when the result(s) can be achieved: It is not clear when the objective must be achieved (e.g., by the end of the year, by the end of the semester, etc.)

  These articles will provide you a further explanation about Objectives in ISO 27001:

  • ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
    Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

  These materials will also help you regarding Objectives in ISO 27001:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Model of safety dashboard

  I’m assuming you are referring to a security dashboard.

  Considering that, ISO 27001 does not prescribe the development of dashboards, only that objectives be defined. 

  To build information security indicators I suggest you see these materials:
  - Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
  - Measurement Report https://advisera.com/27001academy/documentation/measurement-report/

  These articles will also help you:
  - How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
  - ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

   This material may also help you:
  - Measurement Report https://advisera.com/27001academy/documentation/measurement-report/

• Mandatory Documents

  Please note that regarding controls from Annex A, you can have 3 scenarios:
  1) The control is not applicable – in this case do document needs to be written

  2) The control is applicable and the document related to the control is mandatory – the control requires activities to be performed and documented, so a document needs to be written
  3) The control is applicable and the document related to the control is not mandatory - the control requires activities to be only performed, so no document needs to be written, it can be implemented only through performing activities

  The scenario 2 is the case for the documents related to the controls listed in the mandatory documents. If those controls are identified as applicable, you need to develop the related documents, or you will not be compliant with the control.

  These articles will provide you a further explanation about ISO 27001 controls:
  - A quick guide to ISO 27001 controls from Annex A https://advisera.com/27001academy/iso-27001-controls/
  - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

  These materials will also help you regarding ISO 27001 controls:
  - ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
  - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• Approaches to meet ISO 27001 requirements

  I’m assuming that your question is about the implementation steps of your purchased toolkit.

  Considering that, you need to follow the steps from the toolkit, i.e., implementing the documents in the order of presented folders and documents, and to ensure people are mature in the ISMS process you need to make them aware that they need to comply with all policies and procedures. 

  These materials will also help you regarding ISO 27001 implementation:
  - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  - How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-27001-free-webinar-on-demand/
  - Diagram of ISO 27001:2013 Implementation https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process
  - ISO 27001 Documentation Toolokit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
  - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

• Risk assessment question

  1 - But if that vendor was left outside of the scope, would they still be part of the risk assessment? Would it still come up?

  Answer: Please note that vendors must be included in the risk assessment if they can influence the confidentiality, integrity and availability of information within the scope - e.g. Amazon AWS (external vendor) can influence the data on the virtual server (that is included in the scope), therefore it needs to be included in the risk assessment. 

  For further information, see: 
  - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

  2 - My concern would be that if we depend on a vendor to provide a secure service, but it's not in our control so we leave it out of our scope, how would we consider and manage it? Sounds like a loophole. 

  I suppose we shouldn't want to leave a vital process outside of our control to begin with, but am still wondering if there could be a loophole there... 

  Answer: When some of your processes are handled by vendors, you can ensure control over them by defining proper information security clauses in the contracts signed with them, or by evaluating if their offered service agreements have all the clauses you need to ensure your information is protected.

  For further information, see:
  - 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  - Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

  3 - I get why a scope has to be chosen early, but if the risk assessment comes after the scope, it just seems to me that a vital asset or vulnerability could be left out of consideration. Which would mean a different risk management framework would be needed apart from ISO 27001?

  I might be going down the rabbit hole here. I really appreciated the webinar and guidance so far! It has helped me out a lot so far.

  Answer: First is important to note that organizations may adopt risk management approaches that do not make use of assets and vulnerabilities (e.g., because they use a process-based, or scenario-based, risk assessment).

  Considering that, if the scope is properly based on the organizational context, legal requirements, and interested parties, it is unlikely, when using the asset-threat-vulnerability risk assessment approach, that relevant assets or vulnerabilities will be no be identified. In case this occurs, you should review your initial assumptions about the scope, so there is no need to use a different risk management framework.

  These articles will provide you a further explanation about context identification:

  - How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
  - How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
  - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

  These materials will also help you regarding ISO 27001:
  - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

• ISO 14001 Examples of providing a strategy for determining the scope of an EMS

  I see such variability in certification bodies’ policy about the scope of an environmental management system (EMS) that I recommend contacting your potential certification bodies in order to ask their opinion about your potential choices for the scope.

  If this toy manufacturing company has a brand, perhaps it is better to certify all factories, in order to use that in the marketing effort. If this toy manufacturing company has production units working for cost-sensitive clients (B2B) and production units working for demanding clients (B2B) perhaps these latter units are candidates for having an EMS.

  Please find more information below:

  • Article - How to determine the scope of the EMS according to ISO 14001:2015 - https://advisera.com/14001academy/blog/2016/02/01/how-to-determine-the-scope-of-the-ems-according-to-iso-140012015/
  • You can also attend this free course – ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

• Annual Internal audit schedule

  ISO 14001:2015, clause 9.2.2, states that “an organization should establish, implement and maintain an internal audit program (s)”. An audit program is a set of one or more audits planned for a specific time frame”, according to ISO 9000:2015.

  So, your phrase means that the “EMS Management Representative or designate” should, every year, issue an internal audit program scheduling all audits to be performed, and with what scope for each in order to audit all ISO 14001 requirements.

  Please check this article about ISO 9001, but applicable to ISO 14001 too - What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/ and this figure:

  

  You can find practical information in the links below:

  • Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
  • Free webinar on demand - How to perform an ISO 14001:2015 internal audit - https://advisera.com/14001academy/webinar/how-to-perform-an-iso-14001-2015-internal-audit-free-webinar-on-demand/
  • You can also attend this free course – ISO 14001:2015 Internal Auditor Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/